Improvements in technology relating to implantable medical devices (“IMDs”), especially in the areas of power storage, conservation, and miniaturization, have made it possible to equip modern implantable medical devices with wireless telecommunications functions. The benefits of such communication include the capability to make requests to the IMD to transmit information, for example, remaining battery life, number of therapeutic events that have occurred, or certain patient health data, as well as transmitting instructions to the device to change treatment modalities, frequency, or the like. All of these communications are motivated by the imperative on the part of all parties to maximize the patient's health and treatment outcome, and as part of these criteria for success, are also driven by the desire to avoid a situation where the IMD must be removed from the patient or any invasive procedure relating to the patient becomes necessary. Attendant to the risk involved in any surgical or invasive procedure is the cost associated with such procedures when carried out according to the applicable standard of care.
In utilizing the benefits of communication with an IMD while leaving the IMD in the patient, wireless communications are ideally suited and to date are the only practical way to regularly exchange information with the IMD while it remains in its implanted state. Accordingly, the use of telecommunications for IMD administration may include communications to or from an IMD, or alternatively among in vitro (i.e., not implanted) IMD-administration devices (collectively referred to alternately herein as “telemetry,” regardless of whether communications are being transmitted to or from the IMD or administration device, and further regardless of whether a measurement is being transmitted (as opposed to, for example, updated instructions to an IMD)).
While telemetry, and particularly IMD telemetry, may make the treatment of disease states or other medical conditions more convenient and effective, it is important to ensure that the use of telemetry does not permit a third party to interfere in the administration of such devices. For example, eavesdropping alone may compromise patient data that may be protected under certain data privacy regimes, e.g. the Health Insurance Privacy and Accountability Act (“HIPAA”). Even more critically, if a telemetry communication from an administration device to a medical device is interfered with, an important therapy that was intended may not be administered to a patient hosting the implanted device, presumably resulting in suboptimal treatment outcomes. If a malicious third party intercepted a communication and replaced it with a bogus instruction to a device, or even repeated a legitimate instruction to cause an implant to administer incorrect or excessive therapies, adverse effects on the implant's host may result.
To date, most common wireless communications protocols suitable to IMD telemetry applications are of a “broadcast,” rather than of a directional nature. Accordingly, if an IMD is in range of a telemetry signal (or, when communications originate with the IMD, a receiving device is in range of the IMD), we may generally assume that any receiving device in range of the signal may access the signal, whether or not that access is intended by the caregiver and/or patient.
The low distance range of many telemetry transactions involving IMDs has to a certain extent effected a kind of physical layer authentication. In other words, most unauthorized access to IMD-related communications is not feasible because an unauthorized party must be so close to the transmitting device that the physical presence of the eavesdropper (or their tools) would be apparent to the parties legitimately sending or receiving such information. However, the range of telemetry applications is constantly expanding, and at some point it may be contemplated, for example, to interrogate an IMD while a patient is seated in a physician waiting room, even though the intended receiving device is in another room altogether. As the distance necessary for communication between the IMD and external hardware becomes longer, so too does the opportunity for interlopers or eavesdroppers to receive, interfere with, or even manipulate the communications signals.
It is also important that messages are “fresh,” i.e., that they have been transmitted recently, and only once. For example, duplicate communications of data from a diagnostic sensor that falsely indicate no change in a patient's physiological condition in spite of therapy being applied may result in excess therapy or other unnecessary medical intervention with its attendant risks. In addition to message privacy (i.e., encryption), true data security requires both message integrity and message freshness. Without all three, gaps will exist that may be exploited by a malicious third party, or indeed may permit errors without malice. Of course, whether or not such exploitation is likely is not particularly relevant from a design standpoint—the security of the telemetry should be ensured to prevent any eavesdropping or interception regardless of the actual potential for problems arising from the interception scenario being considered.
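As an added illustration of the integrity and freshness requirements just described (this is example code written for this page, not the telemetry protocol of the patent or of any device), the receiver below verifies an HMAC over each frame, rejects any frame whose counter does not advance past the last accepted one, and rejects frames whose timestamp falls outside a short window. The shared key, frame layout, and the "therapy" payloads are constructed assumptions; message privacy (encryption) would be layered on top of this and is not shown.

```python
import hmac, hashlib, struct, time

# Constructed demo key; assumption: provisioned to IMD and programmer out of band.
SHARED_KEY = b"constructed-demo-key-not-for-real-devices"
FRESHNESS_WINDOW_S = 30  # seconds of clock skew / transit delay tolerated

def build_message(key, seq, payload, now=None):
    """Frame = seq (uint32) || timestamp (uint32) || payload || HMAC-SHA256 tag."""
    ts = int(now if now is not None else time.time())
    header = struct.pack(">II", seq, ts)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver-side checks: integrity (MAC), once-only (monotonic counter), recency (window)."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame, now=None):
        now = int(now if now is not None else time.time())
        if len(frame) < 8 + 32:
            return (False, "malformed")
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        # Check the MAC first so a forged frame learns nothing about counter state.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "integrity: bad MAC")
        seq, ts = struct.unpack(">II", header)
        if seq <= self.last_seq:
            return (False, "freshness: replayed or out-of-order counter")
        if abs(now - ts) > FRESHNESS_WINDOW_S:
            return (False, "freshness: stale timestamp")
        self.last_seq = seq  # advance only after every check has passed
        return (True, payload.decode())

def demo():
    """Walk one legitimate frame through the four cases the text warns about."""
    rx = Receiver(SHARED_KEY)
    t0 = 1_700_000_000  # constructed clock value
    msg = build_message(SHARED_KEY, 1, b"therapy:stimulate", now=t0)
    results = [rx.accept(msg, now=t0)[1]]               # accepted once
    results.append(rx.accept(msg, now=t0 + 1)[1])        # same frame repeated -> rejected
    tampered = msg[:8] + b"therapy:STIMULATE" + msg[-32:]
    results.append(rx.accept(tampered, now=t0 + 1)[1])   # payload altered -> MAC fails
    stale = build_message(SHARED_KEY, 2, b"therapy:stop", now=t0 - 600)
    results.append(rx.accept(stale, now=t0 + 2)[1])      # counter fine, timestamp too old
    return results

if __name__ == "__main__":
    print(demo())
```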
Previous approaches to telemetry security involved, for example, server-based authentication and storage—in this way, no permanent key information would ever be stored on equipment. However, this approach requires a secure communications channel to a server that is available around the clock. It also requires clinicians to be authenticated to the server system prior to their administration of a body area network (BAN) device or node.
Alternatively, biometric tokens (such as key fobs) have been used to authenticate IMD support appliances to IMDs. However, this approach subjected the authentication keys (both the biometric key and the IMD key) to loss, and the token could also be forgotten by patients presenting for IMD administration, which would tend to inconveniently require that care be postponed. Tokens augmented by passwords similarly were subject to loss, noncompliance (failure to bring the token to an appointment, or forgetting the authentication information), and similarly were subject to compromise if lost or stolen.